Heartland Breach Cost Company $12.6 Million So Far

Heartland Payment Systems reported on Thursday that the hack it experienced last year has cost the company $12.6 million so far. The amount includes legal costs and fines from Visa and MasterCard, who say the company was not compliant with payment card industry rules.

Company executives also disputed MasterCard’s claim that Heartland had failed to respond quickly enough or appropriately when the company was first notified last year that it might have been breached. Heartland said it will contest MasterCard’s assertions legally.

Heartland, which processes debit and credit card transactions for 250,000 businesses, first learned late last October that it might have been hacked, after Visa and MasterCard reported a pattern of suspicious transactions. But the company was initially unable to determine that its system had indeed been breached.

Robert Baldwin, the company’s president and chief financial officer, told Threat Level last January that the company had received conflicting information that led it to believe the leak may have sprung from outside of Heartland’s systems.

“Some of the information they gave us threw us off the scent,” he said. “There were transactions that hadn’t crossed our platform.”

Nearly three months later, Heartland discovered, with the help of outside forensic experts, malware that allowed thieves to sniff unencrypted card data as transactions were being authorized in Heartland’s network. The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well.

The company, which is based in New Jersey, did not know how long the sniffer was in its system or how many card accounts might have been compromised, although the company’s web site indicates that it processes about 100 million transactions a month.